Microsoft: Criminals can access your accounts without your password
Have you ever felt like just when you’ve nailed your cyber security – BAM! – something new comes along to throw a spanner in the works?
That’s exactly what’s happening right now.
There’s a new scam doing the rounds. And it’s catching out businesses just like yours.
The worst part?
Cyber criminals don’t even need your password.
Scary…
It’s called device code phishing. It’s a clever trick that’s becoming more and more popular. Microsoft recently flagged a wave of these attacks, and we’re likely to see many more.
This one’s different to the usual phishing scams you’ve probably heard about. Normally, phishing is all about tricking people into giving away their usernames and passwords on fake websites.
But with device code phishing, scammers play a smarter game.
Instead of stealing your password, they get you to voluntarily give them access to your account. And they do it using real Microsoft login pages, so it looks totally legit.
It usually starts with a convincing email. Maybe it looks like it’s from your HR person, or a colleague, inviting you to a Microsoft Teams meeting. You click the link, and it takes you to a real Microsoft login screen.
Nothing seems out of place.
You’re asked to enter a code. Just a short one, called a “device code.” This code is supplied in the email, and you’re told it’s needed to join the meeting or finish logging in.
Here’s the catch: By entering that code, you’re not logging yourself in… you’re logging them in.
You’re unknowingly giving the attacker access to your Microsoft account on their device. And because the sign-in goes through Microsoft’s genuine login flow, any MFA prompt you approve completes the attacker’s sign-in for them, so multi-factor authentication (MFA) on its own doesn’t stop it.
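As an added illustration (not code from this newsletter or from Microsoft), the Python below scans sign-in records and flags the ones that used the device code flow from somewhere the user has never signed in from before. The record fields are an assumption modelled on an Entra ID sign-in log export, and the four log lines are constructed.

```python
"""Flag device-code sign-ins that deserve a second look.

Added example, not from the newsletter. The record layout is an assumption
modelled on an Entra ID sign-in log export; adapt the field names to what
your tenant actually emits.
"""
import json
from collections import defaultdict

# Constructed sample sign-in records (not real data).
SAMPLE_LOG = """
{"user": "alice@example.co.uk", "ip": "203.0.113.10", "country": "GB", "authenticationProtocol": "oAuth2", "mfaSatisfied": true, "time": "2025-03-03T08:10:00Z"}
{"user": "alice@example.co.uk", "ip": "203.0.113.10", "country": "GB", "authenticationProtocol": "deviceCode", "mfaSatisfied": true, "time": "2025-03-04T09:15:00Z"}
{"user": "alice@example.co.uk", "ip": "198.51.100.77", "country": "NL", "authenticationProtocol": "deviceCode", "mfaSatisfied": true, "time": "2025-03-05T14:02:00Z"}
{"user": "bob@example.co.uk", "ip": "198.51.100.77", "country": "NL", "authenticationProtocol": "oAuth2", "mfaSatisfied": true, "time": "2025-03-05T14:05:00Z"}
"""


def parse_log(text):
    """One JSON object per line -> list of dicts (blank lines skipped)."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def flag_device_code_signins(records):
    """Return device-code sign-ins that are either the user's first ever
    device-code sign-in, or come from a country none of the user's earlier
    sign-ins used.

    'mfaSatisfied' is deliberately NOT used to clear a record: in device
    code phishing the victim satisfies MFA on the attacker's behalf.
    """
    seen_countries = defaultdict(set)   # user -> countries seen so far
    seen_device_code = set()            # users who have used device code before
    flagged = []
    for rec in sorted(records, key=lambda r: r["time"]):
        user = rec["user"]
        if rec["authenticationProtocol"] == "deviceCode":
            reasons = []
            if user not in seen_device_code:
                reasons.append("first device-code sign-in for user")
            if rec["country"] not in seen_countries[user]:
                reasons.append(f"new country {rec['country']} for user")
            if reasons:
                flagged.append({**rec, "reasons": reasons})
            seen_device_code.add(user)
        seen_countries[user].add(rec["country"])
    return flagged


if __name__ == "__main__":
    for hit in flag_device_code_signins(parse_log(SAMPLE_LOG)):
        print(hit["time"], hit["user"], hit["ip"], "; ".join(hit["reasons"]))
```

Detection like this is a backstop; for users who never need the device code flow, blocking it with a Conditional Access policy (the "authentication flows" control) stops the attack before any code is entered.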